Description
The web administration panel binds broadly to the public IPv6 address space on port [::]:8080 without default firewall limits, making internal API endpoints reachable over the WAN.
Published: 2026-06-04
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The web administration panel of the Acer Connect M6E 5G Portable WiFi Router listens on the entire public IPv6 address space on port 8080 without any default firewall restrictions, exposing internal API endpoints to the WAN. An attacker who can reach the device’s IPv6 address can access these APIs without authentication, potentially enabling configuration changes, data exfiltration, or further compromise of the network device. This represents a moderate severity vulnerability that could be leveraged for unauthorized remote management.

Affected Systems

Acer Connect M6E 5G Portable WiFi Router is affected. Specific firmware or version information is not provided in the available data, so all released firmware releases that include the default IPv6 binding behavior are potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate impact and the lack of an available EPSS score or KEV listing suggests limited known exploitation, but the lack of firewall barriers makes the vulnerability potentially exploitable by anyone who can route traffic to the device’s IPv6 address on port 8080. An attacker would leverage the broad IPv6 binding to access internal administrative APIs, exploiting the CWE-200 weakness of information exposure. The risk is heightened if the device is exposed behind a public IP without additional network isolation.

Generated by OpenCVE AI on June 4, 2026 at 11:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict inbound IPv6 traffic to port 8080 using the device’s firewall or network ACLs, blocking WAN access to the web administration panel.
  • If possible, configure the administration panel to bind only to the local interface or to a private IPv6 subnet that is not routable from the public Internet.
  • Apply the latest firmware update from Acer that addresses the improper IPv6 binding when it becomes available.
  • As a temporary measure, disable IPv6 on the device or isolate the router from the public WAN network to prevent external reachability of the management interfaces.

Generated by OpenCVE AI on June 4, 2026 at 11:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description The web administration panel binds broadly to the public IPv6 address space on port [::]:8080 without default firewall limits, making internal API endpoints reachable over the WAN.
Title Unauthenticated IPv6 WAN Management Exposure
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-06-04T12:56:40.589Z

Reserved: 2026-06-04T09:22:14.581Z

Link: CVE-2026-50224

cve-icon Vulnrichment

Updated: 2026-06-04T12:56:33.719Z

cve-icon NVD

Status : Received

Published: 2026-06-04T10:16:40.003

Modified: 2026-06-04T10:16:40.003

Link: CVE-2026-50224

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T11:30:12Z

Weaknesses